Google plugs security holes in website

Google has patched security flaws in its website that would have exposed users to phishing and other attacks, according to security researchers.

by
Elizabeth Montalbano
, | 23 Dec 05

﻿

X

Email this to a friend

Characters remaining:

What is A + B?

Google has patched security flaws in its website that would have exposed users to phishing and other attacks designed to steal account information, according to security researchers.

Researchers at risk management software company Watchfire posted an advisory this week about the flaws, which are called XSS, or cross-site scripting, vulnerabilities. These types of vulnerabilities leave a site open to various attacks, such as account hijacking, changing of user settings, cookie theft/poisoning or false advertising.

The possibility for attacks at www.google.com was present when users encountered two different error pages, the "404 not found" error message and a website redirection error message.

Google did not properly secure these pages, which exposed users to possible attack by exploiting the 7-bit Unicode Transformation Format character-encoding mechanism, according to Watchfire.

The company corrected the flaws by using character-encoding enforcement, according to Watchfire.

In a statement emailed by a Google spokeswoman, the company said it was alerted to the security vulnerabilities "a little while ago" and fixed them quickly. No user data was compromised due to the flaws, according to the company.